on 02-22-2017 7:20 AM
I added the trnaction RZ20 and assigned authority object S_RZL_ADM with activity 03 (Display only) to a role.
Even having only display authorization this user is allowed to change (delete,save,copy.etc) the method.
What did I miss to allow the it as display-only authorization?
Thank you.
Jhiosa
Hi Jhiosa,
You can set a trace (Transaction ST01) for your user to know which authorization objects allow to you to do it.
After that you can check in transaction SUIM what this is the role assigned to you that contains this authorization object.
Kind regards,
Maria
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Note that the S_RZL_ADM concept is slightly tricky: You can execute external OS programs with this authorization. When doing so from ABAP, the application executing the program must decide whether the external program is relatively harmless and does not change anything (ACTVT = '03') or whether it contains functions which are potentially critical or can start any external program (ACTVT = '01').
SM36 for example only checks '01', as outside of logical commands, it cannot know or control what the external program does. In contrast, if the application runs a specific external program and knows what is does and classes it as non-critical, then it should check '03'.
But those are the only two values available and non-critical does not necessarily mean display only.
So you are sometimes stuck between a rock and a hard place...
Best practice is to use S_LOG_COM or an auth object closer to the application within the application and then let the OS access (like the DB access) be authorization neutral.
Cheers,
Julius
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
HI Fraser,
Thank you for responding the mis-tagged. I checked the other related authorization and that they are all in display access.
I was informed that I can implement the attached note 2382409 - Optimization of authority concept in RZ20 to be able to access RZ20 as Display-only role.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Have you confirmed that the user isn't getting the extra authorizations from another role assignment?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
84 | |
23 | |
11 | |
9 | |
8 | |
5 | |
5 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.